BitLocker is a Windows feature that encrypts an entire volume, making its data unreadable without a valid key protector such as a password or recovery password. If you need to unlock a BitLocker drive for legal, investigative, or data recovery purposes and don't have the password, you can attempt to "crack" it using Hashcat. This approach only applies to volumes protected by a password, which is the protector bitlocker2john can extract a hash for; a volume that is unlocked by the TPM alone, with no password, yields no hash to attack. This guide walks you through each step in simple terms so anyone can follow along.
Note: Only perform this on drives you own or have legal permission to access.
Tools You'll Need
Hashcat: A powerful password-cracking tool you can download for free.
John the Ripper (bitlocker2john): Specifically, we need bitlocker2john, a tool within John the Ripper, to extract the BitLocker hash.
Disk Imaging Tool: To make a copy of the drive, use dd (Linux) or FTK Imager (Windows).
Wordlist (optional): For password guessing, you can use wordlists like rockyou.txt for common passwords.
Step 1: Set Up the Tools
1.1 Install Hashcat
Download Hashcat from Hashcat’s website.
Extract it to a folder on your computer.
1.2 Install John the Ripper (for bitlocker2john)
Download John the Ripper from John the Ripper’s GitHub page.
After installing, find the bitlocker2john program in the installation directory (it's usually in the run folder of a jumbo build, next to the john binary).
1.3 Install FTK Imager (if on Windows)
Download FTK Imager from AccessData’s website.
Follow the installation instructions.
Step 2: Create a Disk Image of the BitLocker Drive
The next step is to make a "clone" of your BitLocker-encrypted drive, so you can work with a copy rather than the original. Attach the source drive through a write blocker, or at the very least never mount it read-write, so the evidence is not altered while you image it.
2.1 Using dd on Linux
Open a terminal.
Plug in your BitLocker-encrypted drive.
Identify the drive by running:
lsblk
Find your drive name (it may look like /dev/sdb).
Create an image with dd:
sudo dd if=/dev/sdX of=/path/to/bitlocker_image.img bs=4M
Replace /dev/sdX with your drive's name (e.g., /dev/sdb), and choose a file location for bitlocker_image.img.
2.2 Using FTK Imager on Windows
Open FTK Imager.
Select your BitLocker-encrypted drive.
Choose File > Create Disk Image and select a raw image format (.img).
Save the image to your computer.
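Whichever imaging tool you use, a forensic copy is only worth something if you can show it matches the source. The Python script below is an added example, not part of the original guide and not code from Hashcat or John the Ripper: it copies a source in the same 4 MiB blocks as the dd command, hashes the bytes as they are read, then re-hashes the finished image and compares the two digests. The hypothetical helper image_bytes_roundtrip writes a constructed byte string to a temporary file so the example runs offline; on a real case you would pass a device path such as /dev/sdb as source (with enough privileges to read it) and record the printed digest alongside the image.

```python
import hashlib
import os
import tempfile

# Same 4 MiB block size as the dd command in the guide.
BLOCK_SIZE = 4 * 1024 * 1024


def image_and_verify(source, image_path, block_size=BLOCK_SIZE):
    """Copy `source` (a block device such as /dev/sdb, or any file) to
    `image_path` block by block, hashing the bytes as they are read.
    The finished image is then read back and hashed independently so the
    copy on disk is proven to match what came off the drive.

    Returns (sha256_hex_of_source, bytes_copied, image_matches_source)."""
    read_hash = hashlib.sha256()
    bytes_copied = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            read_hash.update(block)
            dst.write(block)
            bytes_copied += len(block)

    # Second, independent pass over the image file: this digest is what you
    # record with the image, and it must equal the digest of the source.
    image_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(block_size), b""):
            image_hash.update(block)

    return read_hash.hexdigest(), bytes_copied, read_hash.digest() == image_hash.digest()


def image_bytes_roundtrip(data):
    """Hypothetical helper for running image_and_verify on a constructed
    in-memory 'drive' written to a temporary file. Not a real BitLocker volume."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_drive = os.path.join(tmp, "fake_drive.bin")
        with open(fake_drive, "wb") as f:
            f.write(data)
        return image_and_verify(fake_drive, os.path.join(tmp, "bitlocker_image.img"))


if __name__ == "__main__":
    # Constructed 10 MiB of random bytes standing in for a drive.
    digest, size, ok = image_bytes_roundtrip(os.urandom(10 * 1024 * 1024))
    print(f"sha256={digest} bytes={size} verified={ok}")
```

Hash the original drive again after imaging as well; if that third digest differs from the first, something wrote to the source while you were working and the copy cannot be trusted as an exact clone.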
Step 3: Extract the BitLocker Hash Using bitlocker2john
With the disk image ready, it’s time to extract the BitLocker hash.
Open a terminal (on Linux) or a Command Prompt (on Windows).
Run bitlocker2john with this command:
bitlocker2john -i /path/to/bitlocker_image.img > bitlocker_hash.txt
/path/to/bitlocker_image.img: Replace this with the path to your image file.
bitlocker_hash.txt: This will be the output file where the hash is saved.
Check the output in bitlocker_hash.txt. You should see one or more lines that start with $bitlocker$; bitlocker2john emits separate lines for the user password (with and without MAC verification) and, where present, the recovery password, and the file may also contain informational lines. Keep only the $bitlocker$ line you intend to attack, since this is the hash Hashcat will use to try unlocking the BitLocker drive.
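Before spending GPU hours on a hash, it pays to confirm the line is well-formed and to know which kind of hash it is. The parser below is an added example (not code from John the Ripper or Hashcat) for the $bitlocker$ line layout, which is $bitlocker$<type>$<salt_len>$<salt>$<iterations>$<iv_len>$<iv>$<data_len>$<data>, with each length given in bytes and each value in hex. The type meanings follow bitlocker2john's numbering (0/1 user password, 2/3 recovery password, odd values with MAC verification). The sample output, the helper names and the hex values are constructed for the example and come from no real volume.

```python
import re

# Meaning of the type field, following bitlocker2john's numbering.
HASH_TYPES = {
    0: "user password, no MAC check (faster, may report false positives)",
    1: "user password, with MAC check (slower, no false positives)",
    2: "recovery password, no MAC check",
    3: "recovery password, with MAC check",
}
HEX = re.compile(r"^[0-9a-fA-F]*$")


def parse_bitlocker_hash(line):
    """Split one $bitlocker$ line into its fields and check that every hex
    field is exactly twice as long as the byte count that precedes it."""
    line = line.strip()
    if not line.startswith("$bitlocker$"):
        raise ValueError("not a $bitlocker$ hash line")
    parts = line.split("$")
    # parts[0] is '' (nothing before the first $), parts[1] is 'bitlocker'.
    if len(parts) != 10:
        raise ValueError(f"expected 8 fields after the tag, found {len(parts) - 2}")
    hash_type = int(parts[2])
    if hash_type not in HASH_TYPES:
        raise ValueError(f"unknown hash type {hash_type}")
    fields = {
        "type": hash_type,
        "meaning": HASH_TYPES[hash_type],
        "iterations": int(parts[5]),
    }
    for name, length_str, hexstr in (("salt", parts[3], parts[4]),
                                     ("iv", parts[6], parts[7]),
                                     ("data", parts[8], parts[9])):
        length = int(length_str)
        if not HEX.match(hexstr) or len(hexstr) != 2 * length:
            raise ValueError(f"{name}: expected {length} bytes as {2 * length} hex chars, "
                             f"got {len(hexstr)} chars")
        fields[name] = hexstr.lower()
        fields[name + "_len"] = length
    return fields


def is_valid_bitlocker_hash(line):
    """True if the line parses cleanly; used to filter a hash file before cracking."""
    try:
        parse_bitlocker_hash(line)
        return True
    except ValueError:
        return False


def summarize_hash_file(text):
    """Pick the $bitlocker$ lines out of raw bitlocker2john output (which may
    contain informational lines too) and parse each one."""
    return [parse_bitlocker_hash(l) for l in text.splitlines()
            if l.strip().startswith("$bitlocker$")]


# Constructed sample resembling bitlocker2john output; the hex values are
# made up and do not come from a real volume.
SAMPLE_SALT = "0123456789abcdef0123456789abcdef"   # 16 bytes
SAMPLE_IV = "a1b2c3d4e5f60718293a4b5c"             # 12 bytes
SAMPLE_DATA = "ab" * 60                            # 60 bytes
SAMPLE_OUTPUT = "\n".join([
    "User Password hash:",
    f"$bitlocker$0$16${SAMPLE_SALT}$1048576$12${SAMPLE_IV}$60${SAMPLE_DATA}",
    f"$bitlocker$1$16${SAMPLE_SALT}$1048576$12${SAMPLE_IV}$60${SAMPLE_DATA}",
    "Recovery Password hash:",
    f"$bitlocker$2$16${SAMPLE_SALT}$1048576$12${SAMPLE_IV}$60${SAMPLE_DATA}",
])

if __name__ == "__main__":
    for h in summarize_hash_file(SAMPLE_OUTPUT):
        print(f"type {h['type']}: {h['meaning']}; {h['iterations']} iterations, "
              f"salt {h['salt_len']} B, iv {h['iv_len']} B, data {h['data_len']} B")
```

The iteration count you will see in a real hash, 1048576, is BitLocker's fixed key-derivation cost and is the reason this hash mode is so slow; the type field tells you whether a hit will be a user password or a recovery password.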
Step 4: Choose an Attack Mode for Hashcat
Hashcat works by deriving a key from each candidate password and checking it against the extracted hash, repeating this until it finds a match or runs out of candidates. You can choose from three main attack types:
Dictionary Attack: Uses a list of possible passwords (wordlist).
Brute-force Attack: Tries all possible character combinations.
Hybrid Attack: Combines a dictionary with other characters.
Prepare a Wordlist (for Dictionary Attack)
If you have a file of common passwords, it can save a great deal of time. You can download common wordlists like rockyou.txt online and use them with Hashcat.
Step 5: Run Hashcat to Crack the BitLocker Hash
With the hash and attack mode ready, you’re set to run Hashcat.
Hashcat Command Format
In Hashcat, commands follow this structure:
hashcat -m <hash type> -a <attack mode> <hash file> <wordlist or pattern>
-m is the hash type; for BitLocker, use 22100.
-a is the attack mode: 0 for dictionary, 3 for brute-force (mask), and 6 for hybrid (each wordlist entry followed by a mask).
<hash file> is the file where your BitLocker hash is stored (e.g., bitlocker_hash.txt).
<wordlist or pattern> specifies the file or pattern for Hashcat to try.
5.1 Example Commands
Dictionary Attack Example:
If using a wordlist named wordlist.txt:
hashcat -m 22100 -a 0 bitlocker_hash.txt wordlist.txt
Brute-force Attack Example:
If you know the password's length and character types, you can describe that with a mask. For example, to try every password made of four uppercase letters followed by two digits:
hashcat -m 22100 -a 3 bitlocker_hash.txt ?u?u?u?u?d?d
Each ?u stands for one uppercase letter and each ?d for one digit, so every token in the mask is exactly one character position.
Hybrid Attack Example:
Using a dictionary with two digits added at the end of each word:
hashcat -m 22100 -a 6 bitlocker_hash.txt wordlist.txt ?d?d
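Whether any of these attacks can finish depends on how many candidates the mask or wordlist produces and how fast mode 22100 runs on your hardware. The estimator below is an added example, not part of the original guide and not Hashcat's own code: it computes the keyspace of a Hashcat mask using the built-in charset sizes (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?h and ?H 16, ?b 256), the keyspace of a hybrid run, and the time to exhaust it at a given guess rate. The 5,000 guesses per second used in the demo is a hypothetical figure, not a measurement; run hashcat -b -m 22100 to benchmark your own GPU and substitute that number. The wordlist size is an approximation of rockyou's line count, also an assumption.

```python
# Number of characters in each Hashcat built-in charset.
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16, "b": 256}


def mask_keyspace(mask):
    """Number of candidates a Hashcat mask generates. A '?x' token multiplies
    by the size of charset x; '??' is a literal question mark; any other
    character is a literal and contributes a factor of 1."""
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            token = mask[i + 1]
            if token != "?":
                if token not in CHARSETS:
                    raise ValueError(f"unknown charset ?{token}")
                total *= CHARSETS[token]
            i += 2
        else:
            i += 1
    return total


def hybrid_keyspace(wordlist_size, mask):
    """Candidates for a hybrid run (-a 6): every word combined with every mask output."""
    return wordlist_size * mask_keyspace(mask)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


def describe(seconds):
    """Human-readable duration, largest fitting unit only."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 5_000            # hypothetical guesses/second; benchmark with: hashcat -b -m 22100
    WORDLIST = 14_000_000   # approximate size of rockyou.txt (assumption)
    for label, space in [
        ("?u?u?u?u?d?d (guide's brute-force example)", mask_keyspace("?u?u?u?u?d?d")),
        ("wordlist + ?d?d (guide's hybrid example)", hybrid_keyspace(WORDLIST, "?d?d")),
        ("?a x 8 (any 8 printable characters)", mask_keyspace("?a" * 8)),
        ("?a x 12 (any 12 printable characters)", mask_keyspace("?a" * 12)),
    ]:
        print(f"{label:46s} {space:>28,d} candidates  ~{describe(seconds_to_exhaust(space, RATE))}")
```

The comparison is the practical lesson behind "start simple": at a few thousand guesses per second, a structured six-character mask or a wordlist with a short suffix is reachable, while exhaustive search over even eight arbitrary printable characters is not, which is why wordlist quality matters far more than raw speed for this hash type and why long passphrases are an effective defense for BitLocker volumes.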
Step 6: Monitor Hashcat’s Progress
As Hashcat runs, it will display information on progress, speed, and time remaining.
If Hashcat finds the password, it will show it in the output and save it in its potfile (usually named hashcat.potfile); you can display it again later by rerunning the same command with the --show option.
If Hashcat doesn’t crack the password, try a different attack mode, a longer wordlist, or a broader brute-force range.
Tips for Best Results
Use a GPU: Hashcat performs best with a GPU, which makes cracking faster. Even so, expect BitLocker (mode 22100) to be one of the slowest hash types, because every guess costs roughly a million SHA-256 iterations, so a well-chosen wordlist matters more than raw speed.
Start Simple: Try common passwords first using a dictionary attack before moving to brute-force, which can be time-consuming.
Experiment with Wordlists: Many online wordlists contain common passwords and variations, so experiment to increase your chances.
Example Summary
Let’s quickly review the commands you’ll run from start to finish:
Create an Image of the drive:
sudo dd if=/dev/sdX of=/path/to/bitlocker_image.img bs=4M
Extract the BitLocker Hash:
bitlocker2john -i /path/to/bitlocker_image.img > bitlocker_hash.txt
Run Hashcat with a dictionary:
hashcat -m 22100 -a 0 bitlocker_hash.txt wordlist.txt
Or, if brute-forcing:
hashcat -m 22100 -a 3 bitlocker_hash.txt ?u?u?u?u?d?d
Conclusion
Recovering a BitLocker password with Hashcat might seem daunting, but by following these steps, you can systematically approach the task even as a beginner. Remember, this is a time-consuming process, especially if using brute-force methods, but with patience and the right setup, Hashcat can help you recover the BitLocker password, which you can then use to unlock the volume. Just make sure to follow all legal guidelines for this process.
Emory “Casey” Mullis
Criminal Investigator
Coweta County Sheriff’s Office
Emory Casey Mullis has been in Law Enforcement for over 20 years, encompassing both military and civilian roles. His journey with computers began with a Gateway 266 MHz, which was the pinnacle of consumer technology at the time, costing around $2000. Driven by pure curiosity, he disassembled his new computer right out of the box, much to the dismay of his wife, who insisted, "It better work when you put it back together!" This hands-on experience provided him with a foundational understanding of computer hardware and sparked his career as a Cyber Investigator.
Over the years, Casey has tackled numerous cyber cases, continually honing his skills and knowledge. He emphasizes the importance of questioning, challenging, and testing daily to stay abreast of the latest tools, software, and technologies. Despite the ongoing challenges, he thrives on the dynamic nature of cyber forensics and eagerly embraces every opportunity to learn and grow in this ever-evolving field.